AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]

Question

When creating a stack with CloudFormation, I get this error:

Stack update error: Requires capabilities : [CAPABILITY_IAM]

I can't find a template for adding CAPABILITIES_IAM to the CloudFormation configuration.

What are the options for resolving CAPABILITIES_IAM errors?

score 145 · Accepted Answer · edited Sep 17 '20 at 16:18

Turns out you need to check a box on the last screen of the stack creation. If you are using the console, just above the 'create stack' button there's a box asking you to acknowledge that you want to allow Cloudformation to modify IAM stuff. You can, of course, create the stack without the acknowledgement, which will cause the stack to fail with the CAPABILITY_IAM error (or another error, if a different capability is required).

In CodePipeline CloudFormation you can add it like this to allow execution of the created change_set in the deploy action:

Configuration:
        StackName: !Ref GitHubRepository
        ActionMode: CHANGE_SET_REPLACE
        Capabilities: CAPABILITY_NAMED_IAM
        RoleArn: arn:aws:iam::818272543125:role/events-list-codepiplinerole
        ChangeSetName: !Join ["",[!Ref GitHubRepository, "-changeset"]]
        TemplatePath: MyAppBuild::sam_post.yaml

In the aws cli append

--capabilities CAPABILITY_IAM

or

--capabilities CAPABILITY_NAMED_IAM

To your command like this:

aws cloudformation create-stack --stack-name message-store --template-body file://bucket_with_keys.yaml --parameters file://cfg_bucket_with_keys.json --capabilities CAPABILITY_NAMED_IAM

This does not apply to cloudformation --validate-template as it is not actually creating the resources.

for the new AWS CLI version, it should be `--capabilities CAPABILITY_NAMED_IAM ` — Chau Giang, Sep 16 '22 at 10:59
For more information see https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html — Edward Moffett, Jun 14 '23 at 12:00

score 12 · Answer 2 · answered Dec 21 '16 at 11:34

12

If you are using the AWS CLI, you can add an extra parameter to the aws cloudformation create-stack command that explicitly states you want these capabilities provided.

(this is the CLI equivalent of ticking the checkbox in the other answer here).

The parameter is --capabilities CAPABILITY_IAM, so your command would look like:

aws cloudformation create-stack --stack-name $STACK_NAME --capabilities CAPABILITY_IAM

Hope that helps

answered Dec 21 '16 at 11:34

gsaslis

3,066
2
26
32

Thanks for the reminder of the cli param. Added that and full code example above. – Eric Nord Jan 18 '17 at 15:29
1

Am I wrong or does not not work with `validate-template`?? My full command: `aws cloudformation validate-template --template-body file://sqs-template.yml --capabilities CAPABILITY_IAM` – Michael M Jan 19 '17 at 23:35
2

I came here wondering the same thing. If you see the "error" `"CapabilitiesReason": "The following resource(s) require capabilities: [AWS::IAM::Role]"` then that just means your template is valid and you'll have to specify the return capability when creating the stack. [Source](http://docs.aws.amazon.com/cli/latest/reference/cloudformation/validate-template.html) – Matt Klein Jun 11 '17 at 16:22
Template will validate without the command - it is only needed when creating the stack – Eric Nord Jul 27 '18 at 16:47
3

There's a github issue talking about this as well: https://github.com/awslabs/serverless-application-model/issues/51 – Keeton Hodgson Feb 08 '19 at 19:41

score 9 · Answer 3 · answered Feb 25 '21 at 14:25

9

Just above the create stack button, turn on acknowledge in the console.

answered Feb 25 '21 at 14:25

Aasim ali

318
4
6

score 2 · Answer 4 · answered Oct 17 '22 at 13:11

2

In case someone comes here from Google (like I did) and is using Terraform, make sure you add a capabilities argument:

resource "aws_cloudformation_stack" "cloudformation_stack" {
  # ...
  capabilities = [ "CAPABILITY_IAM" ]
}

answered Oct 17 '22 at 13:11

Bob VanLonkhuyzen

105
2
9

Benjamin SH · Answer 5 · 2022-10-19T03:47:28.240

1

If "CAPABILITY_IAM" is not supported, you can try "CAPABILITY_NAMED_IAM"

https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html

edited Oct 19 '22 at 03:47

answered Oct 09 '22 at 04:51

Benjamin SH

11
2

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Oct 18 '22 at 00:54

score 0 · Answer 6 · answered Oct 21 '22 at 21:58

0

If anybody face the same problem trying to deploy using SAM, you just need to add the --capabilities flag:

sam deploy --guided --capabilities CAPABILITY_NAMED_IAM

using-iam-capabilities

answered Oct 21 '22 at 21:58

Santiago Ortiz Ceballos

152
2
7

AWS CloudFormation Stack update error: Requires capabilities : [CAPABILITY_IAM]

6 Answers6

Linked